
Making User Authentication More Usable

A recent revision to the US Government’s authentication guideline, NIST SP 800-63B "Authentication and Lifecycle Management", puts a greater emphasis on the usability of authentication in its recommendations. This talk will discuss the ways in which it attempts to relieve the users’ burden and shift more responsibility to the services themselves, hopefully improving overall security in the process.

Presentation to BayCHI, December 12, 2017


  1. Making User Authentication More Usable
     Jim Fenton
     @jimfenton
  2. Context
     I’m a consultant to the National Institute of Standards and Technology, focusing on revising US Government digital identity standards
     Everything here is my own opinion; I don’t speak for NIST!
     This talk focuses on the usability aspects of authentication, and the security aspects only incidentally
  3. About SP 800-63
     NIST Special Publication 800-63, Digital Identity Guidelines
     Intended for federal government use, but also widely used commercially and internationally
  4. Four-volume Set
     Enrollment and Identity Proofing: SP 800-63A
     Authentication and Lifecycle Management: SP 800-63B
     Federation and Assertions: SP 800-63C
  5. Executive Order 13681, “Improving the Security of Consumer Financial Transactions”
     “…ensure that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process, as appropriate.”
  6. Who are the Users?
     Everybody: non-English speakers, homeless people, disabled veterans, hospital patients, physicians, elderly, students
     Usability needs to consider all of these, not just Federal employees!
     Photo by Rob Curran on Unsplash
  7. Usability Emphasis in SP 800-63-3
     Engaged NIST human-factors specialists
     Included a Usability Considerations section in each volume (A, B, and C)
     Invited review on normative requirements that might affect usability
  8. Related Concepts
     Accessibility: Can users with various disabilities authenticate?
     Availability: Can users authenticate under all circumstances?
  9. Authenticators
     Nine authenticator types defined:
     Memorized secret (password, PIN, etc.)
     Look-up secret
     Out-of-band device
     Single- and multi-factor OTP device
     Single- and multi-factor crypto software
     Single- and multi-factor crypto device
  10. Factors
     There are three authentication factors:
     Something you know (password)
     Something you have
     Something you are (biometric)
     Authenticators may provide 1 or 2 of these
  11. Memorized Secrets
     Passwords, passphrases, PINs, etc.
  12. Memorized Secrets
     Passwords are:
     Most used authenticators
     Most hated authenticators
     Relatively weak
     But they’re the only “something you know”
     Security questions no longer acceptable
  13. Making Passwords More Usable (Action: Rationale)
     Get rid of composition rules (include digits, symbols, etc.): frustrating for users, less benefit than expected
     Allow all printing characters plus space: maximum freedom in selection; no technical reason otherwise
     Allow Unicode characters: memorable passwords in all languages
     Very long maximum length: encourage long passwords, passphrases
  14. Frustration vs. Security
     Recommend use of a blacklist for common passwords
     Unfortunately not very transparent
     Frustrated users make bad choices
     (Chart: weak passwords allowed and frustrated users, both plotted against blacklist size)
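The rules on slides 13 and 14 in code, as an added example that is not from the talk or from NIST: a legacy checker with composition rules beside one that only applies a length floor, a high ceiling and a common-password blocklist, accepting spaces and Unicode and telling the user why a choice was rejected. The blocklist contents, the 256-character maximum and the message wording are assumptions.

```python
import unicodedata

# Constructed sample blocklist for the example; a real service loads a large
# list of breached and commonly chosen passwords (assumption: compared
# case-insensitively after normalization).
COMMON_PASSWORDS = {"password", "password1", "p@ssw0rd", "123456", "qwerty", "letmein"}

MIN_LENGTH = 8     # 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 256   # generous maximum (assumed value) so passphrases fit


def legacy_check(pw: str) -> list:
    """'Before': composition rules of the kind slide 13 recommends removing."""
    problems = []
    if not 8 <= len(pw) <= 16:
        problems.append("length must be 8-16 characters")
    if not any(c.isdigit() for c in pw):
        problems.append("must contain a digit")
    if not any(c in "!@#$%^&*" for c in pw):
        problems.append("must contain a symbol")
    if " " in pw:
        problems.append("spaces are not allowed")
    if not pw.isascii():
        problems.append("only ASCII characters are allowed")
    return problems


def usable_check(pw: str) -> list:
    """'After': a length floor, a high ceiling and a blocklist; any printing
    character, the space and non-ASCII (Unicode) characters are accepted."""
    problems = []
    pw = unicodedata.normalize("NFKC", pw)   # same secret regardless of input method
    n = len(pw)                               # counts code points, not bytes
    if n < MIN_LENGTH:
        problems.append(f"too short: {n} characters, minimum is {MIN_LENGTH}")
    if n > MAX_LENGTH:
        problems.append(f"too long: {n} characters, maximum is {MAX_LENGTH}")
    if any(unicodedata.category(c).startswith("C") for c in pw):
        problems.append("control characters are not printable")
    if pw.casefold() in COMMON_PASSWORDS:
        # Slide 14: say why it was rejected, so the user is not left guessing
        problems.append("this password is on the list of commonly used passwords; pick a different one")
    return problems
```

`P@ssw0rd` satisfies every legacy rule and is rejected only by the blocklist, while a four-word passphrase fails four legacy rules and passes the usable check.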
  15. Password Visibility
     Passwords are obscured to inhibit “shoulder surfing”
     Makes correct entry more difficult, and often there is no shoulder-surfing threat
     Recommend making passwords visible on request
     Future browser feature??
  16. Pasting
     Some sites disallow pasting: <input type="password" onpaste="return false">
     Also disables password managers
     Done to enhance security, but probably encourages weaker passwords
     SP 800-63B discourages blocking pasting
  17. Other Authenticators
  18. Look-up Secrets
     List of machine-generated one-time secrets
     Not intended for memorization: typically more complex
     Less usable/accessible because they require manual transcription, subject to misread/mistyping
     Cheap and very suitable as a backup authenticator
  19. Out-of-Band
     Requires a separate communication channel, usually a separate device
     Availability: cell phone service is not always available
     Accessibility: usually requires transcription of a secret from one device to another, often time-limited
  20. Single-factor One Time Password (OTP)
     Requires transcription from device to login session
     Time-based OTP imposes a time limit on this process
     Photo credit: Wikimedia Commons
  21. Multi-factor OTP
     Requires transcription of secret from authenticator to login session
     Typing on small device may be challenging
     Photo credit: HID
  22. Cryptographic Software Authenticators
     Example: client certificate (with or without passphrase)
     Process for installation of authenticator on user device should be considered
     Authenticators need to be organized for identification
  23. Single-factor Cryptographic Device
     Availability: requires an interface (e.g., USB) to connect to authenticating device
     Location of some ports is inconvenient for pushing the button
     Photo credit: Yubico
  24. Multi-factor Cryptographic Device
     Availability: requires an interface or adapter to connect to authenticating device
  25. About Biometrics…
     Need to reproduce conditions of enrollment:
     Choice of finger (fingerprint)
     Lighting conditions (iris)
     Facial hair, expression, glasses (face)
     Many modalities (fingerprint, iris, etc.) are not usable by some people
     Generally considered convenient to use, but familiarity is important
  26. Summary
     There isn’t a perfect authenticator, from either a usability or security standpoint
     Services should support a variety of ways to authenticate and to enroll multiple authenticators per user
  27. Identity Proofing
  28. Identity Proofing
     Enrollment process: establishing that a digital identity corresponds to a specific individual
     Generally done only once at enrollment, but may be repeated if all authenticators are lost
     May be done in-person (preferred) or remotely
     Less sensitive to convenience, but more sensitive to accessibility (disabled, homeless, etc.)
  29. Questions?